Monday, May 3, 2010

More Experiments with Master File Table Timestamps

I had an anonymous comment on my Tampering with Master File Table Records post referencing the Timestomp utility available in Metasploit. Timestomp is an anti-forensics utility used to change the date/time metadata stored in the $Standard_Information Attribute of a Master File Table record. I experimented with the utility prior to the previous post but had some issues getting it to run properly on Windows 7. Moreover, Timestomp does not edit the $File_Name Attribute (MACE) values. The commenter does point out an interesting workaround noted on the Timestomp wiki, however.

Moving a file after manipulating it with Timestomp copies all four of the $Standard_Information Attribute time values into the $File_Name Attribute values. Once the file is moved, you must change the SI attribute values again. Sticking with the tools already available on Windows 7, I tested this using the Move-Item Cmdlet.

I verified again by carving out the $MFT and parsing its contents with analyzeMFT. The following is the output of the $MFT record for our malicious file, verifying that all eight date values have been edited:

Rob T. Lee also recently posted some research he has been doing on Windows 7 $MFT timestamp entries. His findings to date seem to support the aforementioned behavior. It will be interesting to see what additional behavior he finds. Keep the comments coming!
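The behaviour described above changes what an examiner can rely on: the classic check, $SI creation time earlier than $FN creation time, catches a Timestomp edit on its own but not one followed by a move, since the move copies the forged $SI values into $FN. The following is an added example (not code from this post, from Timestomp or from analyzeMFT) that runs that check plus a secondary heuristic, whole-second timestamps with zero sub-second ticks, over constructed $SI/$FN values for the three states discussed; the attribute field names and sample dates are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def to_filetime(dt, ticks=0):
    """Encode a UTC datetime (plus extra 100-ns ticks) as a raw FILETIME integer."""
    delta = dt - EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10 + ticks)

def filetime_to_datetime(ft):
    """Decode a raw FILETIME integer back to a UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def check_record(si, fn):
    """si / fn: dicts of raw FILETIME ints keyed created, modified, mft_modified, accessed.
    Returns a list of heuristic findings; an empty list means nothing looked off."""
    findings = []
    # Heuristic 1: ordinary file APIs update $SI but not $FN, so $SI created earlier
    # than $FN created is the classic sign of a backdated $SI. Defeated once the file
    # is moved, because the move copies the forged $SI values into $FN (the post's point).
    if si["created"] < fn["created"]:
        findings.append("SI created precedes FN created")
    # Heuristic 2: tools that write whole seconds leave the sub-second ticks at zero;
    # the kernel rarely does. Needs corroboration (e.g. files copied off FAT volumes
    # legitimately carry coarse timestamps), so treat it as a lead, not a verdict.
    for label, attr in (("SI", si), ("FN", fn)):
        if all(v % TICKS_PER_SECOND == 0 for v in attr.values()):
            findings.append(f"{label} timestamps all have zero sub-second precision")
    return findings

def _attr(created, modified, ticks):
    """Constructed MACE set: accessed mirrors created, entry-modified mirrors modified."""
    return {"created": to_filetime(created, ticks), "accessed": to_filetime(created, ticks),
            "modified": to_filetime(modified, ticks), "mft_modified": to_filetime(modified, ticks)}

# Constructed sample values: genuine kernel-written times carry sub-second ticks,
# the forged values are whole seconds as a stomping tool would write them.
REAL_C = datetime(2010, 4, 28, 14, 5, 11, 123456, tzinfo=timezone.utc)
REAL_M = datetime(2010, 4, 28, 14, 7, 2, 654321, tzinfo=timezone.utc)
FAKE = datetime(2005, 1, 1, tzinfo=timezone.utc)

SAMPLES = {
    "untouched": (_attr(REAL_C, REAL_M, 7), _attr(REAL_C, REAL_M, 7)),
    "timestomp_only": (_attr(FAKE, FAKE, 0), _attr(REAL_C, REAL_M, 7)),
    "timestomp_then_move": (_attr(FAKE, FAKE, 0), _attr(FAKE, FAKE, 0)),
}

def analyze_samples():
    """Run check_record over every constructed state; returns {state: findings}."""
    return {state: check_record(si, fn) for state, (si, fn) in SAMPLES.items()}
```

Running analyze_samples() shows the first heuristic firing only for the Timestomp-only state, while the zero-precision heuristic still flags both $SI and $FN after the move.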

About Me

Infosec geek from Boston, MA with interests in hacking, incident response, digital forensics, and malware analysis. I also enjoy single malt scotch and a good cigar. The purpose of this blog is to get random ideas and thoughts out of my head and onto a medium to share. I also tend to rant quite a bit. Hopefully someone will find it informative or entertaining.
